
Time: 2024-07-23

Latest Splunk Technology Update: Exploiting Vulnerability Risk


Splunk Technology Vulnerability Exploit

A recently fixed vulnerability affecting Splunk Enterprise on Windows is more severe than it initially appeared, according to SonicWall's threat researchers. Several PoC exploits have been published, including one by IT consultant Mohamed Nabil Ali that performs bulk scanning for vulnerable internet-facing endpoints and attempts to read the etc/passwd file through the traversal (on a Windows Splunk host this is Splunk's own user credential file under the installation directory, not the Linux system file).

Splunk Enterprise is a data analytics and monitoring platform that allows organizations to collect and analyze machine-generated data from a variety of sources, such as network and security devices, servers, and applications.
CVE-2024-36991, discovered by Danylo Dmytriiev, is a path traversal vulnerability in Splunk Web, the platform's user interface. It allows attackers to traverse the file system and access files or directories outside the restricted directory (/modules/messaging/). The vulnerability exists because of the behaviour of Python's os.path.join function on Windows: when a path token carries a drive letter that matches the drive of the path being built, the drive letter is removed from the token and the remainder is appended as a relative segment, SonicWall's researchers explained. A segment such as C:.. therefore passes a check that only looks for a literal .., yet is joined as a plain .. step.
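The following Python snippet, added here as an illustration and not code taken from Splunk or from SonicWall's write-up, reproduces the os.path.join behaviour described above using ntpath (the Windows implementation of os.path, so it runs on any platform). The naive_resolve function models a per-segment blocklist check of the kind the bug defeats; the install path in BASE and the function names are assumptions for the example. hardened_resolve shows the fix a practitioner would want: reject any segment that carries a drive letter or separator, resolve the whole path, and confirm the result is still under the base directory.

```python
import ntpath  # Windows path rules, so this behaves the same on Linux or Windows

# Assumed location of the Splunk Web messaging module directory; the page does
# not state the real path, so this value is illustrative only.
BASE = r"C:\Program Files\Splunk\share\splunk\search_mrsparkle\modules\messaging"


def naive_resolve(base: str, url_path: str) -> str:
    """Blocklist-style sanitizer modelled on the weakness the text describes.

    Each URL segment is checked for '..' and then joined with ntpath.join
    (what os.path.join is on Windows). This is NOT Splunk's code.
    """
    path = base
    for token in url_path.split("/"):
        if token in ("", ".", ".."):
            raise ValueError(f"rejected segment {token!r}")
        # ntpath.join("C:\\base", "C:..") -> "C:\\base\\..": the drive letter
        # matches the path being built, so it is dropped and ".." is appended.
        path = ntpath.join(path, token)
    return ntpath.normpath(path)


def hardened_resolve(base: str, url_path: str) -> str:
    """Reject drive-prefixed or separator-bearing segments, then confine the
    fully resolved path to base instead of trusting a per-token check."""
    base = ntpath.normpath(base)
    segments = url_path.split("/")
    for token in segments:
        drive, _ = ntpath.splitdrive(token)  # splitdrive("C:..") -> ("C:", "..")
        if drive or "\\" in token or token in ("", ".", ".."):
            raise ValueError(f"rejected segment {token!r}")
    candidate = ntpath.normpath(ntpath.join(base, *segments))
    if ntpath.commonpath([base, candidate]) != base:
        raise ValueError(f"{candidate!r} escapes {base!r}")
    return candidate


def escapes(resolver, base: str, url_path: str) -> bool:
    """True only if resolver accepts url_path and the result lies outside base."""
    try:
        resolved = resolver(base, url_path)
    except ValueError:
        return False  # request rejected, nothing outside base is reachable
    base = ntpath.normpath(base)
    try:
        return ntpath.commonpath([base, resolved]) != base
    except ValueError:
        return True  # different drive or relative result: certainly not under base


if __name__ == "__main__":
    # Five drive-prefixed '..' steps climb from modules/messaging to the
    # install root, which is the shape of the published PoC request.
    poc = "C:../C:../C:../C:../C:../etc/passwd"
    print("naive   :", naive_resolve(BASE, poc), "escapes =", escapes(naive_resolve, BASE, poc))
    print("hardened: escapes =", escapes(hardened_resolve, BASE, poc))
    print("legit   :", hardened_resolve(BASE, "icons/info.png"))
```

The key observation is that a literal "../" is caught by the naive check while "C:../" is not, even though both end up as the same ".." step after the join; a check that runs before the join cannot see that. The hardened version additionally survives URL-encoding tricks only if the caller decodes the request path before handing it over, which a web framework normally does.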


CVE-2024-36991 affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, but only on Windows, and only if the Splunk Web component is turned on.
Although Splunk is mainly known for its use in development and operations environments, up to 230,000 internet-exposed servers are running Splunk according to Fofa, the threat researchers noted, and they advised admins to apply the patch immediately.

Exploitation Risk Mitigation

An attacker only needs to be able to reach the instance remotely, whether over the Internet or a local network, they added. Disabling Splunk Web also removes the risk of exploitation, though upgrading to a fixed version is preferred. Splunk's Threat Research team has provided a search query to detect exploitation attempts against the /modules/messaging endpoint.
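For teams that cannot run that search directly, the following Python script, added here as an example and not the query Splunk's Threat Research team published, applies the same idea to a web access log: it isolates requests to /modules/messaging/, URL-decodes the remainder of the path (twice, to catch double encoding), and flags segments that are a bare ".." or carry a drive prefix such as "C:..". The sample log lines are constructed for this example and only loosely follow Splunk's web access log layout, which is an assumption rather than a format taken from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample lines, loosely modelled on a Splunk web access log; the
# exact field layout is an assumption for this example, not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2024:10:01:12.000 +0000] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd HTTP/1.1" 200 812
10.0.0.5 - - [23/Jul/2024:10:01:13.000 +0000] "GET /en-US/modules/messaging/%43%3A%2E%2E/%43%3A%2E%2E/etc/passwd HTTP/1.1" 200 812
10.0.0.7 - admin [23/Jul/2024:10:02:00.000 +0000] "GET /en-US/modules/messaging/Messages.js HTTP/1.1" 200 4410
10.0.0.9 - - [23/Jul/2024:10:03:44.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 15120
10.0.0.5 - - [23/Jul/2024:10:04:01.000 +0000] "GET /en-US/modules/messaging/..%5C..%5C..%5Cetc%5Cpasswd HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/modules/messaging/"
DRIVE_TOKEN = re.compile(r"^[A-Za-z]:")  # e.g. "C:..", the form the PoC uses


def parse_line(line: str):
    """Split one access-log line into fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_tokens(uri: str) -> list:
    """Return the path segments after /modules/messaging/ that look like
    traversal: a bare '..' or a drive-prefixed token such as 'C:..'."""
    idx = uri.lower().find(ENDPOINT)
    if idx < 0:
        return []
    tail = uri[idx + len(ENDPOINT):].split("?", 1)[0]
    # Decode twice so single- and double-URL-encoded payloads both surface.
    tail = unquote(unquote(tail))
    # Split on both separators: encoded backslashes are a common variant.
    return [t for t in re.split(r"[\\/]", tail) if t == ".." or DRIVE_TOKEN.match(t)]


def detect(log_text: str) -> list:
    """Return one record per request that carries traversal tokens, keeping the
    HTTP status so responders can prioritise requests that actually succeeded."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tokens = suspicious_tokens(rec["uri"])
        if tokens:
            hits.append({"src": rec["src"], "uri": rec["uri"],
                         "status": rec["status"], "tokens": tokens})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(f'{h["src"]} status={h["status"]} tokens={h["tokens"]} uri={h["uri"]}')
```

A 200 response to a flagged request is the signal to escalate: on an unpatched Windows instance it means the file was served. A 404 still records an attempt and the source address, which is worth correlating with the same client's other requests.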

Organizations running Splunk Enterprise on Windows with versions earlier than 9.2.2, 9.1.5, and 9.0.10 have been urged by SonicWall to immediately apply fixes for a high-severity path traversal vulnerability, tracked as CVE-2024-36991, which could be abused to list directories on the endpoint and access sensitive data, SecurityWeek reports.
Attackers could exploit the issue remotely by sending a crafted GET request to an affected Splunk instance with Splunk Web enabled, according to SonicWall, which noted that the likelihood of exploitation has increased since proof-of-concept code was published on GitHub.

Patch and Workaround Guidance

Aside from applying the update Splunk released earlier this month, organizations with vulnerable instances can also disable Splunk Web to reduce the chance of compromise, SonicWall noted. Given the severity of this vulnerability and the reports of attackers attempting to exploit it in the wild, users are strongly encouraged to upgrade their instances in line with the Splunk advisory.
